meta-signing-key: Rename "extra trusted" to "secondary"

The way that the create-user-key-store.sh script creates what it has been calling "extra_system_trusted_key" is really what would be considered a "secondary" trusted key as it is signed by the primary key that we create. To make this clearer, as there are other cases for an "extra trusted system key" that are not this key, update the variables, package names, etc, to reflect "secondary" not "extra system". Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com> Signed-off-by: Tom Rini <trini@konsulko.com>
author: Tom Rini <trini@konsulko.com> 2018-05-16 13:37:54 -0400
committer: Jia Zhang <zhang.jia@linux.alibaba.com> 2018-05-17 20:36:23 +0800
commit: c804f2591498d5d400e12340346e6b190623ddc6 (patch)
tree: 9be53d19d5cdff6f1c63af0c701b117ac7514d00
parent: b7b42cdec7b20be00ea2c344189f5924951d3037 (diff)
download: meta-secure-core-c804f2591498d5d400e12340346e6b190623ddc6.tar.gz
6 files changed, 39 insertions, 39 deletions
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 03e1b2c..a0cecab 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
 MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
 IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
 SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
-EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
+SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
 RPM = '1'
 def vprint(str, d):
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
    set_keys_dir('SYSTEM_TRUSTED', d)
    return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
-def uks_extra_system_trusted_keys_dir(d):
+def uks_secondary_trusted_keys_dir(d):
-    set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
+    set_keys_dir('SECONDARY_TRUSTED', d)
-    return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+    return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
 def uks_modsign_keys_dir(d):
    set_keys_dir('MODSIGN', d)
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
        vprint("%s.crt is unavailable" % _, d)
        return False
-def check_extra_system_trusted_keys(d):
+def check_secondary_trusted_keys(d):
-    dir = uks_extra_system_trusted_keys_dir(d)
+    dir = uks_secondary_trusted_keys_dir(d)
-    _ = 'extra_system_trusted_key'
+    _ = 'secondary_trusted_key'
    if not os.path.exists(dir + _ + '.key'):
        vprint("%s.key is unavailable" % _, d)
        return False
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
    fi
 }
-deploy_extra_system_trusted_keys() {
+deploy_secondary_trusted_keys() {
-    local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
+    local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
-    if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
+    if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
        install -d "$deploy_dir"
-        cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
+        cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
    fi
 }
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
        _ = check_ima_user_keys(d)
    elif name == 'SYSTEM_TRUSTED':
        _ = check_system_trusted_keys(d)
-    elif name == 'EXTRA_SYSTEM_TRUSTED':
+    elif name == 'SECONDARY_TRUSTED':
-        _ = check_extra_system_trusted_keys(d)
+        _ = check_secondary_trusted_keys(d)
    elif name == 'MODSIGN':
        _ = check_modsign_keys(d)
    elif name == 'RPM':
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
        d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
 python check_deploy_keys() {
-    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
+    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
        if d.getVar(_, True) != "1":
            continue
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 939f71a..e067f6b 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
 SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
 SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
-SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
+SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
 SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
 SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
 SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
-EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
+SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
 MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
 IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
 RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
 BB_HASHBASE_WHITELIST_append += "\
    SYSTEM_TRUSTED_KEYS_DIR \
-    EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
+    SECONDARY_TRUSTED_KEYS_DIR \
    MODSIGN_KEYS_DIR \
    IMA_KEYS_DIR \
    RPM_KEYS_DIR \
diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt
index b7c3493..b7c3493 100644
--- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt
+++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt
diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key
index 0bf56cf..0bf56cf 100644
--- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key
+++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 8dd9637..66691cc 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 # For ${PN}-system-trusted-privkey
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
-# For ${PN}-extra-system-trusted-privkey
+# For ${PN}-secondary-trusted-privkey
-EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
+SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
 # For ${PN}-modsign-privkey
 MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
-# For ${PN}-extra-system-trusted-cert
+# For ${PN}-secondary-trusted-cert
-EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
+SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
 # For ${PN}-modsign-cert
 MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -47,10 +47,10 @@ python () {
    d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
    d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
-    pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
+    pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
    d.setVar('PACKAGES_prepend', pn + ' ')
-    d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
-    d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
    pn = d.getVar('PN', True) + '-modsign-privkey'
    d.setVar('PACKAGES_prepend', pn + ' ')
@@ -96,13 +96,13 @@ do_install() {
        install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
    fi
-    key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
+    key_dir="${@uks_secondary_trusted_keys_dir(d)}"
-    install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
+    install -m 0644 "$key_dir/secondary_trusted_key.crt" \
-        "${D}${EXTRA_SYSTEM_CERT}"
+        "${D}${SECONDARY_TRUSTED_CERT}"
    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
-        install -m 0400 "$key_dir/extra_system_trusted_key.key" \
+        install -m 0400 "$key_dir/secondary_trusted_key.key" \
-            "${D}${EXTRA_SYSTEM_PRIV_KEY}"
+            "${D}${SECONDARY_TRUSTED_PRIV_KEY}"
    fi
    key_dir="${@uks_modsign_keys_dir(d)}"
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
 PACKAGES = "\
    ${PN}-system-trusted-cert \
-    ${PN}-extra-system-trusted-cert \
+    ${PN}-secondary-trusted-cert \
    ${PN}-modsign-cert \
    ${PN}-ima-cert \
 "
@@ -158,7 +158,7 @@ PACKAGES = "\
 # Note any private key is not available if user key signing model used.
 PACKAGES_DYNAMIC = "\
    ${PN}-system-trusted-privkey \
-    ${PN}-extra-system-trusted-privkey \
+    ${PN}-secondary-trusted-privkey \
    ${PN}-modsign-privkey \
    ${PN}-ima-privkey \
    ${PN}-rpm-pubkey \
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
-FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
-CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
 FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
 CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
index ddcd31a..eea52df 100755
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
 IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
 RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
 MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
-EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"
+SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
 pem2der() {
    local src="$1"
@@ -201,12 +201,12 @@ create_modsign_user_key() {
        "/CN=MODSIGN Certificate/"
 }
-create_extra_system_user_key() {
+create_secondary_user_key() {
-    local key_dir="$EXTRA_SYSTEM_KEYS_DIR"
+    local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
    [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
-    ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
+    ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
        "/CN=Extra System Trusted Certificate/"
 }
@@ -297,8 +297,8 @@ create_user_keys() {
    echo "Creating the user key for system"
    create_system_user_key
-    echo "Creating the user key for system extra"
+    echo "Creating the user key for system secondary trust"
-    create_extra_system_user_key
+    create_secondary_user_key
    echo "Creating the user key for modsign"
    create_modsign_user_key
author	Tom Rini <trini@konsulko.com>	2018-05-16 13:37:54 -0400
committer	Jia Zhang <zhang.jia@linux.alibaba.com>	2018-05-17 20:36:23 +0800
commit	c804f2591498d5d400e12340346e6b190623ddc6 (patch)
tree	9be53d19d5cdff6f1c63af0c701b117ac7514d00
parent	b7b42cdec7b20be00ea2c344189f5924951d3037 (diff)
download	meta-secure-core-c804f2591498d5d400e12340346e6b190623ddc6.tar.gz

diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 03e1b2c..a0cecab 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
12	MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'	12	MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
13	IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'	13	IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
14	SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'	14	SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
15	EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'	15	SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
16	RPM = '1'	16	RPM = '1'
17		17
18	def vprint(str, d):	18	def vprint(str, d):
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
26	set_keys_dir('SYSTEM_TRUSTED', d)	26	set_keys_dir('SYSTEM_TRUSTED', d)
27	return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'	27	return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
28		28
29	def uks_extra_system_trusted_keys_dir(d):	29	def uks_secondary_trusted_keys_dir(d):
30	set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)	30	set_keys_dir('SECONDARY_TRUSTED', d)
31	return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'	31	return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
32		32
33	def uks_modsign_keys_dir(d):	33	def uks_modsign_keys_dir(d):
34	set_keys_dir('MODSIGN', d)	34	set_keys_dir('MODSIGN', d)
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
173	vprint("%s.crt is unavailable" % _, d)	173	vprint("%s.crt is unavailable" % _, d)
174	return False	174	return False
175		175
176	def check_extra_system_trusted_keys(d):	176	def check_secondary_trusted_keys(d):
177	dir = uks_extra_system_trusted_keys_dir(d)	177	dir = uks_secondary_trusted_keys_dir(d)
178		178
179	_ = 'extra_system_trusted_key'	179	_ = 'secondary_trusted_key'
180	if not os.path.exists(dir + _ + '.key'):	180	if not os.path.exists(dir + _ + '.key'):
181	vprint("%s.key is unavailable" % _, d)	181	vprint("%s.key is unavailable" % _, d)
182	return False	182	return False
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
379	fi	379	fi
380	}	380	}
381		381
382	deploy_extra_system_trusted_keys() {	382	deploy_secondary_trusted_keys() {
383	local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"	383	local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
384		384
385	if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then	385	if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
386	install -d "$deploy_dir"	386	install -d "$deploy_dir"
387		387
388	cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"	388	cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
389	fi	389	fi
390	}	390	}
391		391
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
413	_ = check_ima_user_keys(d)	413	_ = check_ima_user_keys(d)
414	elif name == 'SYSTEM_TRUSTED':	414	elif name == 'SYSTEM_TRUSTED':
415	_ = check_system_trusted_keys(d)	415	_ = check_system_trusted_keys(d)
416	elif name == 'EXTRA_SYSTEM_TRUSTED':	416	elif name == 'SECONDARY_TRUSTED':
417	_ = check_extra_system_trusted_keys(d)	417	_ = check_secondary_trusted_keys(d)
418	elif name == 'MODSIGN':	418	elif name == 'MODSIGN':
419	_ = check_modsign_keys(d)	419	_ = check_modsign_keys(d)
420	elif name == 'RPM':	420	elif name == 'RPM':
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
440	d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')	440	d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
441		441
442	python check_deploy_keys() {	442	python check_deploy_keys() {
443	for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):	443	for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
444	if d.getVar(_, True) != "1":	444	if d.getVar(_, True) != "1":
445	continue	445	continue
446		446


diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index 939f71a..e067f6b 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
17	SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"	17	SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
18	SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"	18	SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
19	SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"	19	SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
20	SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"	20	SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
21	SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"	21	SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
22	SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"	22	SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
23	SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"	23	SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
33	MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"	33	MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
34	UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"	34	UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
35	SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"	35	SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
36	EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"	36	SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
37	MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"	37	MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
38	IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"	38	IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
39	RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"	39	RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
50		50
51	BB_HASHBASE_WHITELIST_append += "\	51	BB_HASHBASE_WHITELIST_append += "\
52	SYSTEM_TRUSTED_KEYS_DIR \	52	SYSTEM_TRUSTED_KEYS_DIR \
53	EXTRA_SYSTEM_TRUSTED_KEYS_DIR \	53	SECONDARY_TRUSTED_KEYS_DIR \
54	MODSIGN_KEYS_DIR \	54	MODSIGN_KEYS_DIR \
55	IMA_KEYS_DIR \	55	IMA_KEYS_DIR \
56	RPM_KEYS_DIR \	56	RPM_KEYS_DIR \


diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt index b7c3493..b7c3493 100644 --- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt +++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt


diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key index 0bf56cf..0bf56cf 100644 --- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key +++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key


diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 8dd9637..66691cc 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
17	# For ${PN}-system-trusted-privkey	17	# For ${PN}-system-trusted-privkey
18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"	18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
19		19
20	# For ${PN}-extra-system-trusted-privkey	20	# For ${PN}-secondary-trusted-privkey
21	EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"	21	SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
22		22
23	# For ${PN}-modsign-privkey	23	# For ${PN}-modsign-privkey
24	MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"	24	MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
29	# For ${PN}-system-trusted-cert	29	# For ${PN}-system-trusted-cert
30	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"	30	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
31		31
32	# For ${PN}-extra-system-trusted-cert	32	# For ${PN}-secondary-trusted-cert
33	EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"	33	SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
34		34
35	# For ${PN}-modsign-cert	35	# For ${PN}-modsign-cert
36	MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"	36	MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -47,10 +47,10 @@ python () {
47	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))	47	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
48	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))	48	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
49		49
50	pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'	50	pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
51	d.setVar('PACKAGES_prepend', pn + ' ')	51	d.setVar('PACKAGES_prepend', pn + ' ')
52	d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))	52	d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
53	d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))	53	d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
54		54
55	pn = d.getVar('PN', True) + '-modsign-privkey'	55	pn = d.getVar('PN', True) + '-modsign-privkey'
56	d.setVar('PACKAGES_prepend', pn + ' ')	56	d.setVar('PACKAGES_prepend', pn + ' ')
@@ -96,13 +96,13 @@ do_install() {
96	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"	96	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
97	fi	97	fi
98		98
99	key_dir="${@uks_extra_system_trusted_keys_dir(d)}"	99	key_dir="${@uks_secondary_trusted_keys_dir(d)}"
100	install -m 0644 "$key_dir/extra_system_trusted_key.crt" \	100	install -m 0644 "$key_dir/secondary_trusted_key.crt" \
101	"${D}${EXTRA_SYSTEM_CERT}"	101	"${D}${SECONDARY_TRUSTED_CERT}"
102		102
103	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then	103	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
104	install -m 0400 "$key_dir/extra_system_trusted_key.key" \	104	install -m 0400 "$key_dir/secondary_trusted_key.key" \
105	"${D}${EXTRA_SYSTEM_PRIV_KEY}"	105	"${D}${SECONDARY_TRUSTED_PRIV_KEY}"
106	fi	106	fi
107		107
108	key_dir="${@uks_modsign_keys_dir(d)}"	108	key_dir="${@uks_modsign_keys_dir(d)}"
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
150		150
151	PACKAGES = "\	151	PACKAGES = "\
152	${PN}-system-trusted-cert \	152	${PN}-system-trusted-cert \
153	${PN}-extra-system-trusted-cert \	153	${PN}-secondary-trusted-cert \
154	${PN}-modsign-cert \	154	${PN}-modsign-cert \
155	${PN}-ima-cert \	155	${PN}-ima-cert \
156	"	156	"
@@ -158,7 +158,7 @@ PACKAGES = "\
158	# Note any private key is not available if user key signing model used.	158	# Note any private key is not available if user key signing model used.
159	PACKAGES_DYNAMIC = "\	159	PACKAGES_DYNAMIC = "\
160	${PN}-system-trusted-privkey \	160	${PN}-system-trusted-privkey \
161	${PN}-extra-system-trusted-privkey \	161	${PN}-secondary-trusted-privkey \
162	${PN}-modsign-privkey \	162	${PN}-modsign-privkey \
163	${PN}-ima-privkey \	163	${PN}-ima-privkey \
164	${PN}-rpm-pubkey \	164	${PN}-rpm-pubkey \
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
167	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	167	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
168	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	168	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
169		169
170	FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"	170	FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
171	CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"	171	CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
172		172
173	FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"	173	FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
174	CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"	174	CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"


diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index ddcd31a..eea52df 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
98	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"	98	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
99	RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"	99	RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
100	MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"	100	MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
101	EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"	101	SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
102		102
103	pem2der() {	103	pem2der() {
104	local src="$1"	104	local src="$1"
@@ -201,12 +201,12 @@ create_modsign_user_key() {
201	"/CN=MODSIGN Certificate/"	201	"/CN=MODSIGN Certificate/"
202	}	202	}
203		203
204	create_extra_system_user_key() {	204	create_secondary_user_key() {
205	local key_dir="$EXTRA_SYSTEM_KEYS_DIR"	205	local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
206		206
207	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"	207	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
208		208
209	ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \	209	ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
210	"/CN=Extra System Trusted Certificate/"	210	"/CN=Extra System Trusted Certificate/"
211	}	211	}
212		212
@@ -297,8 +297,8 @@ create_user_keys() {
297	echo "Creating the user key for system"	297	echo "Creating the user key for system"
298	create_system_user_key	298	create_system_user_key
299		299
300	echo "Creating the user key for system extra"	300	echo "Creating the user key for system secondary trust"
301	create_extra_system_user_key	301	create_secondary_user_key
302		302
303	echo "Creating the user key for modsign"	303	echo "Creating the user key for modsign"
304	create_modsign_user_key	304	create_modsign_user_key